develooper Front page | perl.perl5.porters | Postings from August 2010

Current directory in @INC potentially harmful

Thread Next
From:
Ansgar Burchardt
Date:
August 4, 2010 15:25
Subject:
Current directory in @INC potentially harmful
Message ID:
87k4o6awbs.fsf@marvin.43-1.org
Hi,

perl includes the current directory as the last element in @INC when not
running in taint mode (-T).  This can be a problem similar to the PATH
environment variable containing the current directory.

The problem is running scripts that try to load not installed modules in
a directory that contains content not controlled by the user, that is a
directory writable by other users such as /tmp or even a directory from
an unpacked tarball received from somebody else.  In that case perl
might find modules in the current directory (or a sub-directory),
tricking the user in running code he does not want to run.

Of course this depends on trying to load a module that is not installed,
but several modules on CPAN behave this way: some try to use a XS module
if available falling back to a Perl implementation if this is not
available; other modules support several implementations of which not
all have to be installed.  Using such a module, even indirectly, might
cause the problems described above.

I understand that removing the current directory from @INC will break
existing code and thus cannot be changed easily, but still feel this
should be changed at some time (no need to haste).

Regards,
Ansgar

PS: I reported this as a bug in the Debian's bug tracker [1] and was
directed to raise this issue here.

[1] <http://bugs.debian.org/588017>


Thread Next


nntp.perl.org: Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at ask@perl.org | Group listing | About